Friday, May 1, 2026

A Manifesto for Labor in the Age of Artificial Intelligence


R Kannan

As Labor Day 2026 arrives, the global workforce stands at a juncture as pivotal as the Industrial Revolution. Yet, unlike the steam engine, which replaced muscle with machinery, artificial intelligence (AI) is beginning to substitute, augment, and redefine the very cognitive processes that have defined human labour for centuries.

For the past decade, we have debated whether AI would lead to a "jobless future." Today, as we analyse the early evidence—including the sobering insights from the 2026 Joint ILO-World Bank working papers—we see that the reality is more nuanced, and perhaps more urgent. The question is no longer if AI will change the nature of work, but *how* we can govern that change to prevent the widening of global inequalities.


The Great Divergence: Exposure vs. Readiness

Recent data from the World Bank and the International Labour Organization (ILO) underscores a critical reality: AI’s impact is inherently uneven. In advanced economies, where digital infrastructure is ubiquitous, AI exposure is high—reaching up to 30–32% of employment. Here, the challenge is managing the transition for clerical and professional roles that are susceptible to automation.

Conversely, developing economies face a different, perhaps more insidious, risk. While their overall exposure to AI automation is lower, they suffer from a "readiness gap." As noted in the 2026 *Digital Progress and Trends Report*, the lack of robust digital connectivity and AI-ready infrastructure threatens to trap these nations in low-productivity cycles. If these countries cannot leapfrog into AI-enabled service delivery, they risk losing the traditional "escalator" to development: the expansion of manufacturing and service-sector jobs that previously pulled millions out of poverty.

The result is a looming "Great Divergence." If we leave market forces entirely to their own devices, we risk a world where the AI-dividend accrues disproportionately to capital-rich nations, while labour-rich developing nations struggle with stagnation.

Beyond Automation: The Augmentation Imperative

The fear of job displacement is palpable, but the IMF’s analysis of 2026 labour trends suggests a more complex dynamic: polarization. We are observing the emergence of a "skill premium" where workers who can leverage AI to augment their output see rising wages, while those in routine, non-complementary roles face wage suppression or displacement.

The goal for policymakers cannot be to stop the machine; it must be to change the machine’s objective function. Governments must move from a defensive stance—trying to protect obsolete jobs—to an offensive strategy of human-centric augmentation.

We must distinguish between AI that serves to replace human judgment and AI that serves to amplify it. Tax incentives should be restructured to reward firms that use AI to upskill their workforce, rather than those that simply use automation to trim headcount. This is not just a moral imperative; it is an economic one. As the World Bank’s 2026 Spring Meetings emphasized, "jobless growth" is a dead end. Sustainable development requires the active participation of the workforce in the value-creation process.

A Global Roadmap for Human-Centric AI

To navigate this transition, governments must adopt a comprehensive policy architecture. I propose a 12-point framework, built on the necessity of proactive governance:

 1. AI-Augmentation Incentives: Transition tax systems to prioritize "human-plus-AI" models. Corporations that retrain staff to work alongside AI should receive tax credits equivalent to capital investment incentives.

 2. Universal Lifelong Learning Accounts (ULLA): Education can no longer be a front-loaded, one-time investment. Governments should fund portable accounts, allowing workers to access modular, industry-certified training as market needs shift.

 3. Predictive Labor Market Intelligence: Using AI to govern AI, states should invest in predictive systems that identify, with 18-to-24-month lead times, which job roles are at risk, triggering proactive re-skilling pathways.

 4. Regulatory "Human-in-the-Loop" Standards: In high-stakes domains—healthcare, law, and financial advice—legislation must mandate human oversight, ensuring that AI provides decision-support rather than autonomous decision-making.

 5. Digital Public Infrastructure (DPI) Expansion: Governments must treat connectivity as a public utility. As India’s UPI model demonstrates, DPI lowers the cost of entry for small entrepreneurs, sparking mass-market job creation.

 6. Portable Social Security for the Gig Economy: The future of work is fragmented. We need a social safety net that follows the worker, not the workplace, covering health and retirement for gig and freelance contributors.

 7. Entrepreneurial Friction Reduction: Startups focused on "human-centric" technology—those that solve real-world problems in aging, education, and rural development—should face zero regulatory hurdles.

 8. Reskilling Mandates in Procurement: Public contracts should require that a percentage of the contract value be reinvested into local workforce development programs.

 9. Automation Levies: For high-profit, hyper-automated, labour-displacing processes, states should explore targeted levies. These funds must be ring-fenced exclusively for national reskilling initiatives.

 10. Curriculum-to-Industry Feedback Loops: National education councils must be redesigned to have industry leaders as permanent members, ensuring academic curricula are refreshed every 24 months.

 11. Collaborative AI Governance: Establish tripartite councils—government, industry, and academia—to set ethical and technical standards for AI deployment in the local economy.

 12. Inclusion for the "Last Mile": Prioritize digital literacy for rural and informal sectors to ensure that AI does not create a two-tiered economy of the "connected" and the "cut-off."

The Indian Laboratory: A Model for the Global South

India, with its vibrant demographic dividend and rapid digital maturation, stands as a critical microcosm for the world. The country’s path toward creating the millions of jobs required to eradicate poverty is no longer through mass assembly lines alone, but through a hybrid model of "High-Tech, High-Touch" development.

We see this already in the ten sectors of massive growth:

 The Green Transition: The shift to net-zero is perhaps the largest employment multiplier of the decade. From solar grid management to battery recycling, the "Green Collar" workforce is the future of sustainable labour.

 The Care Economy: As the world ages, the "human touch" in nursing and elderly care is becoming an irreplaceable premium service. India is uniquely positioned to professionalize and scale this sector for domestic and global demand.

 The Creative Economy (AVGC): Animation, Visual Effects, Gaming, and Comics are not mere entertainment; they are the new frontier of digital manufacturing, leveraging India’s vast pool of artistic and technical talent.

The success of these sectors depends on integrating AI not as a competitor, but as a catalyst for efficiency. If India can successfully pilot this model—combining aggressive DPI expansion with massive, decentralized skill development—it will provide a template for the Global South to bypass the "middle-income trap" that AI threatens to worsen.

Conclusion

This Labor Day, we must resist the narrative of technological determinism. We are not passengers in a runaway train. We are the architects of the track.

The World Bank’s 2026 data serves as both a warning and a guide: technology will be an amplifier of existing trends. If we prioritize equity, it will accelerate progress. If we prioritize unfettered capital, it will accelerate inequality. The challenge of our time is to weave AI into the social fabric in a way that respects human dignity and expands the boundaries of what is possible for every worker, not just a privileged few.

The jobs of the future will be created by those who understand that the most potent technology in any economy is not the algorithm, but the human capacity to learn, adapt, and innovate. Our policy focus must be singular: to empower that capacity at scale.


Thursday, April 30, 2026

The Fed’s High-Stakes Swan Song: Managing the Energy Mirage


R Kannan

In the hallowed halls of the Eccles Building, the mood this week was not one of decisive action, but of studied, perhaps even anxious, deliberation. The Federal Open Market Committee’s (FOMC) decision to maintain the federal funds rate at 3.50% to 3.75%—a move widely telegraphed but nonetheless weighty—underscores the precarious tightrope walk facing American monetary policy. As Chair Jerome Powell conducted what may well be his final press conference, the committee’s message was clear: the Federal Reserve is not merely waiting for data; it is waiting for clarity in a fog of geopolitical and supply-side complexity.


For the casual observer, the decision to hold rates steady might look like passivity. Yet, a deeper reading of the minutes and the accompanying commentary reveals a fractured consensus. Three hawkish dissents on the forward guidance language serve as a flashing warning light, signalling that the unified front the Fed has projected for years is beginning to crack under the pressure of divergent economic theories and mounting uncertainty.

The central challenge, as articulated by the Fed, is a classic monetary paradox. We are currently witnessing an inflation profile that is undeniably elevated, driven significantly by a spike in global energy prices. Traditional macroeconomic doctrine dictates that when inflation remains sticky, the central bank must tighten the screws to dampen demand. However, the Fed is acutely aware that these same energy prices are functioning as a "stealth tax" on the American consumer. By increasing fuel and heating costs, this inflation shock is already actively cooling the economy, acting as a natural, albeit painful, brake on discretionary spending.

In this light, the Fed is trapped. To tighten policy further to combat the inflationary "shock" would be to risk over-correcting, potentially pushing a cooling economy into a needless contraction. To signal easing would be to risk unmooring inflation expectations at a time when the "back side" of the energy shock remains invisible. Thus, we are left with the "wait-and-see" posture—a stance that is academically defensible but increasingly risky in practice.

The institutional subtext of this meeting cannot be ignored. Chair Powell’s defence of the Fed’s independence and his commitment to "transparency and finality" regarding the ongoing legal and political pressures surrounding the institution felt like a closing argument. As the Fed prepares for a significant leadership transition in the coming months, the uncertainty surrounding who will helm the world’s most powerful central bank is beginning to bleed into market sentiment. When leadership is in flux, the temptation is often to default to the status quo. However, the American economy in mid-2026 is not a static environment. It is a dynamic system reacting to geopolitical volatility, shifting labour dynamics, and the lagging effects of previous policy adjustments.

The real danger in the current outlook is not just inflation or recession; it is policy obsolescence. If the Fed remains wedded to a data-dependent strategy that relies on lagging indicators while the structural underpinnings of the economy are shifting rapidly due to the energy crisis and geopolitical realignment, they risk fighting the last war. The labour market, while showing resilience, is beginning to fray at the edges, and the cooling of consumer confidence suggests that the "soft landing" narrative is becoming harder to justify.

Looking ahead, the next few months will be a crucible for the institution. If the energy shock persists, the Fed will have to confront the reality that its dual mandate—maximum employment and price stability—is increasingly in conflict. We can no longer assume that a cooling economy will automatically be cured by lower energy prices, nor that inflation will dissipate without more aggressive intervention.

For the American economy, the outlook for 2026 remains cautiously pessimistic. We are moving toward a period where "no news is bad news." Stagnant policy in the face of dynamic global challenges is effectively an admission that the Fed has run out of easy levers. As the committee waits for the "back side" of the energy spike, businesses and households are left to navigate a high-interest-rate environment that is increasingly disconnected from the reality of tightening margins and slowing growth.

The Fed’s swan song under Powell is a reminder that central banking is not a science; it is a precarious art. By choosing to hold steady, the committee has bought itself time, but it has not bought itself a solution. The transition in leadership will be the ultimate test of the institution’s durability. For the American public, the hope must be that the next chapter of Fed policy offers more than just a continuation of the current, agonizing equilibrium. We need a central bank that is not just attentive to the risks on both sides of its mandate, but one that is willing to define a path forward that recognizes the world as it is today, not as we hope it will be tomorrow.


Sunday, April 26, 2026

The Great Fragmentation: Mapping the New Contours of Global Trade


R Kannan

For nearly three decades after the fall of the Berlin Wall, the narrative of global trade was one of relentless, borderless integration. The "End of History" was supposed to be paved with container ships, low tariffs, and the hyper-efficiency of just-in-time supply chains. Today, that world is unravelling. In its place, a more fractured, securitized, and complex landscape is emerging—what economists at the International Monetary Fund (IMF) and the World Bank are increasingly labelling "Gated Globalization."


From the financial hubs of Mumbai to the volatile shipping lanes of the Red Sea, the signals are clear: the era of efficiency-first trade is being replaced by an era of security-first trade. According to the latest reports from the World Trade Organization (WTO) and the United Nations, global trade is undergoing its most profound structural shift since the founding of the General Agreement on Tariffs and Trade (GATT) in 1947.

The Rise of "Geoeconomic Fragmentation"

The primary driver of this shift is the increasing weaponization of trade policy for geopolitical ends. In its World Economic Outlook (April 2026), the IMF warns that "geoeconomic fragmentation" is no longer a theoretical risk but a present reality. US effective tariff rates, which sat at roughly 2.4% in late 2024, surged to 15% by the end of 2025—the highest levels since the post-World War II reconstruction era.

This is not merely a bilateral dispute between the U.S. and China. Fragmentation is spreading across the G20 and beyond. The European Union has implemented new "strategic autonomy" safeguards on steel and chemicals, while Mexico recently introduced surcharges of up to 50% on a range of imports to protect domestic industries from perceived dumping. The Wall Street Journal reports that trade policy is now being "shaped by security and political considerations rather than efficiency or multilateral rules," leading to a world where trade blocks are increasingly insular.

From Offshoring to "Friend-Shoring"

The most visible trend in this new era is the death of the traditional "offshoring" model. During the "hyper-globalization" phase (2002–2007), companies moved production to wherever labour and capital costs were lowest. Today, the focus has shifted to "Resilience" and "De-risking."

UNCTAD’s 2025 reports highlight a sharp resurgence in "Friend-shoring"—the practice of restructuring supply chains to favour trade with politically aligned partners. This trend is particularly pronounced in strategic sectors such as semiconductors, electric vehicles (EVs), and critical minerals. In these industries, countries are prioritizing "technological sovereignty" over pure cost-efficiency.

As a result, we are seeing the emergence of new regional hubs. While US imports from China have dropped sharply in relative terms, countries like Vietnam, Taiwan, and Mexico have seen a surge in trade volume. However, the IMF cautions that this is often "indirect trade." Many goods are still manufactured with Chinese components and merely assembled in "friendly" third countries, creating a more opaque, more expensive, and potentially more fragile version of the old global supply chain.

The Digital Paradox: Services in an Age of Barriers

While trade in physical goods faces significant headwinds, digital trade is moving in the opposite direction. The WTO’s World Trade Report 2024 emphasizes that digitally delivered services—ranging from streaming and software to remote professional services and AI architecture—are the fastest-growing segment of global trade.

This "Digital Paradox" suggests that while it is becoming harder to ship a car or a turbine across a border due to physical and regulatory hurdles, it is becoming easier to ship the software that runs them. UNCTAD estimates that growth in digital services trade will continue to outpace goods trade through 2026. However, a new threat looms: data localization laws. The Financial Times notes that if data is treated as a "national asset" that cannot leave borders, digital trade could soon face its own version of the high tariffs currently hitting the manufacturing sector.

The Green Trade Revolution and Carbon Protectionism

Climate change is also rewriting the rules of the game. The "Green Transition" is fostering a new, more sophisticated type of protectionism. Governments are increasingly using massive subsidies and "carbon border adjustment mechanisms" (CBAMs) to protect domestic green industries while penalizing carbon-intensive imports.

The World Bank’s Trade Fragmentation Research Initiative notes that while these policies aim to reduce global emissions, they often create uncoordinated trade barriers that disproportionately hurt low-income economies. Developing nations, many of which are commodity-dependent, face heightened price volatility as they struggle to adapt to the rigorous green standards imposed by advanced economies like the EU. This "Green Squeeze" is becoming a central point of contention in North-South trade relations.

The Role of Financial Stability and Gold

As the trade landscape fragments, the financial foundations of global commerce are also shifting. The New York Times reports a significant increase in central bank gold purchases, particularly in emerging markets, as a hedge against a weakening or "weaponized" US dollar.

The volatility of the dollar, combined with the rise of regional currencies in trade settlements (such as the "petro-yuan" or local currency settlement systems in ASEAN and BRICS+), is complicating the traditional "dollars-for-goods" model. The IMF warns that a multi-currency trade world, while potentially more diverse, carries higher transaction costs and greater exchange rate risks for small-to-medium enterprises.

Re-Globalization vs. De-Globalization: The Path Forward

Despite the prevailing gloom, the WTO argues that we are not witnessing the end of globalization, but its "re-globalization." The World Trade Report 2024 makes a passionate case that trade remains the most effective tool for income convergence and poverty reduction. The challenge, according to the UN’s World Economic Situation and Prospects, is that the benefits of trade are currently being concentrated among a few "aligned" blocks, leaving the most vulnerable nations behind.

Reforming the dispute settlement mechanism—which has been paralyzed for years—and addressing the specific needs of the Global South will be critical to preventing a total collapse of the rules-based order.

Conclusion: A World of "Episodic Shocks"

As we move toward 2027, the global economy appears to have entered a period where "fragility and episodic shocks are increasingly structural features," per the IMF. For global corporations and national governments, the strategy is no longer about maximizing growth at all costs, but about managing risk in a world that is less coordinated and more risk-averse.

The "Great Convergence" that defined the early 21st century has stalled. In its place, we find a world of "strategic power gaps" being filled by regional alliances and protective walls. Global trade is not dying, but it is becoming a much more expensive and complicated game to play. The winners in this new era will not be those with the lowest costs, but those with the most resilient and politically astute supply networks.


Saturday, April 25, 2026

The Mythos of Security: Why AI-Driven Exploitation Demands a "Biological" Defence


By R. Kannan

The traditional perimeter of global enterprise has not just been breached; it has been rendered obsolete. In April 2026, the release of frontier models like Anthropic’s Claude Mythos signalled a permanent shift in the balance of power between the digital lock and the digital pick. We have entered the era of autonomous exploitation, where software vulnerabilities—some lying dormant for nearly three decades—are being unearthed and weaponized in minutes by machine intelligence.

For the modern CEO and the boards they report to, the message is chilling: the window of opportunity for human-led defence has shrunk from months to mere seconds. If our defensive posture remains anchored in human reaction times and periodic audits, we are essentially fighting a supersonic war with a cavalry mindset.


To address the exponential threat posed by autonomous exploitation models like Claude Mythos, defensive strategies must evolve from static checklists to dynamic, machine-speed ecosystems.

What to do

I. Strategic Infrastructure & Governance

Establish an AI Threat War Room

A traditional Security Operations Centre (SOC) is reactive, often mired in "alert fatigue." The AI Threat War Room is a proactive command centre staffed by "Purple Teams"—specialists who blend offensive (Red) and defensive (Blue) tactics.

  • Offensive Synthesis: The team utilizes adversarial AI to simulate multi-stage attacks. This involves "LLM-orchestrated" fuzzing, where the AI generates millions of permutations of inputs to break your proprietary software.
  • Predictive Remediation: Instead of waiting for a CVE (Common Vulnerabilities and Exposures) to be published, this unit identifies "silent" weaknesses in logic and business workflows that traditional scanners miss.
  • Executive Oversight: This room provides the Board with a real-time "Resilience Scorecard," translating technical vulnerabilities into enterprise risk metrics.

Zero-Trust Architecture (ZTA)

The "Castle and Moat" philosophy is dead. ZTA operates on the mantra: "Never Trust, Always Verify."

  • Identity-as-the-New-Perimeter: Access is not granted based on being "on the office Wi-Fi." Every request—from a CEO's laptop or a cloud microservice—requires cryptographic verification and device health attestation.
  • Contextual Risk Engines: ZTA uses AI to analyse the "signals" of a login. If a user logs in from Mumbai but their device lacks the latest security patch, or the typing cadence (biometrics) doesn't match, access is denied or "stepped up" to higher authentication.
  • Least Privilege Enforcement: Users only see the applications necessary for their specific role. This "darkens" the rest of the network to a potential attacker.
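The contextual risk engine described above can be sketched as a small policy function. This is an added example, not code from the post: the signals, weights, thresholds and the "2026-04" patch level are assumptions chosen to show how a score turns into allow, step-up or deny, with one hard rule (unattested device plus sensitive resource) that no score can override.

```python
"""Contextual risk decision for a Zero-Trust policy engine.

Added, illustrative example (not code from the post). The signals, weights
and thresholds are assumptions chosen to show the allow / step-up / deny logic.
"""
from dataclasses import dataclass

# Assumption: the newest patch bundle the fleet is expected to run, as "YYYY-MM".
CURRENT_PATCH_LEVEL = "2026-04"


@dataclass
class AccessRequest:
    user: str
    device_patch_level: str    # "YYYY-MM" of the last applied patch bundle
    device_attested: bool      # hardware-backed device health attestation passed
    country: str               # geolocation of this request
    home_country: str          # country the user normally works from
    phishing_resistant_mfa: bool
    resource_sensitivity: str  # "low" or "high"


def risk_score(req: AccessRequest) -> int:
    """Sum weighted risk signals; higher is riskier. Weights are assumptions."""
    score = 0
    if not req.device_attested:
        score += 40   # unattested device: its health claims cannot be trusted
    if req.device_patch_level < CURRENT_PATCH_LEVEL:
        score += 30   # string comparison is safe because the format is YYYY-MM
    if req.country != req.home_country:
        score += 20
    if not req.phishing_resistant_mfa:
        score += 15
    if req.resource_sensitivity == "high":
        score += 10
    return score


def decide(req: AccessRequest) -> str:
    """Return 'allow', 'step_up' or 'deny'. Thresholds are assumptions."""
    # Hard rule, independent of the score: no unattested device reaches sensitive data.
    if not req.device_attested and req.resource_sensitivity == "high":
        return "deny"
    score = risk_score(req)
    if score >= 60:
        return "deny"
    if score >= 30:
        return "step_up"
    return "allow"


if __name__ == "__main__":
    stale = AccessRequest("asha", "2025-12", True, "IN", "IN", True, "low")
    print(decide(stale))  # a stale patch level alone forces step-up authentication
```

The point of the hard rule is that some combinations should never be reduced to arithmetic; a real engine would also log the contributing signals with every decision so the SOC can audit why access was stepped up or denied.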

Aggressive "Technical Debt" Liquidation

Legacy systems (Mainframes, old Windows servers, unpatched ERPs) are "sitting ducks" for AI like Mythos, which can scan decades-old codebases in seconds.

  • Vulnerability Aging Analytics: Categorize all software by its "exploitability age." Any system running code that hasn't been refactored in 5+ years should be moved to an "Isolated Legacy Zone."
  • The "Sunsetting" Mandate: Establish a rigid policy where "End-of-Life" (EOL) means immediate disconnection. If a business unit requires an EOL tool, they must pay a "Security Tax" to fund its modernization.
  • Cloud-Native Migration: Prioritize moving legacy workloads to "Serverless" or "Containerized" environments where the underlying infrastructure is patched automatically by the cloud provider.

Micro-Segmentation

In a flat network, one compromised password leads to a total data breach. Micro-segmentation creates "digital bulkheads" similar to a submarine.

  • Application-Level Isolation: Every application is wrapped in its own micro-perimeter. A breach in the "Marketing Analytics" tool cannot jump to the "Payroll Database."
  • Dynamic Policy Generation: Using AI to observe traffic patterns, the system automatically drafts firewall rules that allow only necessary communication (e.g., "Web Server A can only talk to Database B on Port 443").
  • Blast Radius Limitation: Even if an AI agent gains "Admin" rights within one segment, it finds itself trapped in a "cell," unable to see or reach other critical enterprise assets.
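Dynamic policy generation and blast-radius limitation can be shown together with a few lines of Python. This is an added example, not code from the post: the workload names, ports and flow records are constructed. It learns an allow-list from flows observed during a learning window, renders the rules with a trailing default deny, and computes which workloads a compromised one could still reach.

```python
"""Learn an allow-list micro-segmentation policy from observed flows and size the blast radius.

Added, illustrative example (not code from the post). The workload names, ports
and flow records are constructed.
"""
from collections import defaultdict

# Constructed flow records from a learning window: (source, destination, dst_port).
OBSERVED_FLOWS = [
    ("web-a", "db-b", 443),
    ("web-a", "db-b", 443),
    ("web-a", "cache-c", 6379),
    ("marketing-analytics", "marketing-db", 5432),
]


def learn_policy(flows):
    """Map each (src, dst) pair to the set of ports seen; anything else is denied."""
    policy = defaultdict(set)
    for src, dst, port in flows:
        policy[(src, dst)].add(port)
    return dict(policy)


def is_allowed(policy, src, dst, port):
    """Default deny: a flow passes only if it was explicitly learned."""
    return port in policy.get((src, dst), set())


def render_rules(policy):
    """Rule list in the order a firewall would evaluate it, ending in default deny."""
    lines = [
        f"allow {src} -> {dst} port {port}"
        for (src, dst), ports in sorted(policy.items())
        for port in sorted(ports)
    ]
    lines.append("deny any -> any  (default)")
    return lines


def blast_radius(policy, start):
    """Workloads reachable from `start` by following allowed flows transitively."""
    reached, frontier = set(), [start]
    while frontier:
        node = frontier.pop()
        for src, dst in policy:
            if src == node and dst not in reached:
                reached.add(dst)
                frontier.append(dst)
    return reached


if __name__ == "__main__":
    policy = learn_policy(OBSERVED_FLOWS)
    print("\n".join(render_rules(policy)))
    print("compromise of marketing-analytics reaches:", blast_radius(policy, "marketing-analytics"))
```

Before such learned rules are enforced, the learning window itself has to be reviewed: if an attacker is already inside during that window, their traffic gets baked into the allow-list.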

Software Bill of Materials (SBOM)

Modern software is a "Lego set" of third-party libraries. If one small library (like Log4j) is vulnerable, your entire enterprise is at risk.

  • Supply Chain Transparency: Demand a machine-readable SBOM (in formats like CycloneDX) from every software vendor. This is essentially a "list of ingredients."
  • Real-Time Dependency Mapping: If an AI model discovers a zero-day in an obscure open-source library, your SBOM system should instantly flag every application in your company that uses it.
  • VEX (Vulnerability Exploitability eXchange): Integrate SBOMs with VEX data to determine not just if a "vulnerable library" exists, but if the library is actually "reachable" and "exploitable" in your specific configuration.
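The SBOM-to-VEX workflow above is easy to demonstrate end to end. This is an added example, not code from the post: the SBOMs are simplified CycloneDX-style component lists I constructed, the advisory identifier is a placeholder, and the VEX statements use the OpenVEX status vocabulary (affected, not_affected, fixed, under_investigation). It finds every application that ships the named component, then lets a VEX statement from the application owner remove the ones where the vulnerable code is not reachable.

```python
"""Tie an advisory to applications through their SBOMs, then apply VEX statements.

Added, illustrative example (not code from the post). The SBOMs are simplified
CycloneDX-style component lists, the advisory id is a placeholder, and the VEX
statuses use the OpenVEX vocabulary (affected, not_affected, fixed, under_investigation).
"""
import json

# Constructed SBOM inventory: one simplified CycloneDX-style document per application.
SBOMS = json.loads("""
[
  {"application": "billing-api", "components": [
     {"name": "log4j-core", "version": "2.14.1",
      "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
     {"name": "jackson-databind", "version": "2.15.0",
      "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.0"}]},
  {"application": "reporting-batch", "components": [
     {"name": "log4j-core", "version": "2.14.1",
      "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}]},
  {"application": "static-site", "components": [
     {"name": "marked", "version": "4.0.0", "purl": "pkg:npm/marked@4.0.0"}]}
]
""")

# Constructed advisory with a placeholder identifier and the package URLs it names.
ADVISORY = {
    "id": "CVE-0000-PLACEHOLDER",
    "affected_purls": {"pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
}

# Constructed VEX statements supplied by application owners after analysis.
VEX = [
    {"vulnerability": "CVE-0000-PLACEHOLDER", "application": "reporting-batch",
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
]


def exposed_applications(sboms, advisory):
    """Applications whose SBOM lists any component named by the advisory."""
    return sorted(
        s["application"] for s in sboms
        if any(c["purl"] in advisory["affected_purls"] for c in s["components"])
    )


def triage(sboms, advisory, vex):
    """Combine SBOM presence with VEX: unknown status defaults to under_investigation."""
    statuses = {(v["vulnerability"], v["application"]): v["status"] for v in vex}
    return {
        app: statuses.get((advisory["id"], app), "under_investigation")
        for app in exposed_applications(sboms, advisory)
    }


def needs_action(sboms, advisory, vex):
    """Applications that still require patching or investigation."""
    return sorted(app for app, st in triage(sboms, advisory, vex).items()
                  if st in {"affected", "under_investigation"})


if __name__ == "__main__":
    print(triage(SBOMS, ADVISORY, VEX))
    print("work queue:", needs_action(SBOMS, ADVISORY, VEX))
```

Matching on package URLs rather than bare names avoids false hits on unrelated packages that share a name, and defaulting unknown status to under_investigation keeps an application on the work queue until someone has actually looked.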

II. AI-Native Defence Operations

Deploy "Virtual Patching"

The "Vulnerability-to-Patch" gap is where hackers win. It takes humans weeks to test and deploy a patch; AI exploits the bug in minutes.

  • Immediate Shielding: When a vulnerability is identified, a Web Application Firewall (WAF) or an Intrusion Prevention System (IPS) applies a "virtual patch"—a rule that specifically blocks the traffic pattern required to exploit that bug.
  • Zero-Downtime Security: This allows the company to stay protected without rebooting critical servers or disrupting business operations while developers work on the permanent code fix.
  • Automated Signature Generation: Advanced defence tools can now analyse a new exploit and write their own virtual patch rules in milliseconds.
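A virtual patch in its simplest form is a request filter placed in front of the unpatched code. This is an added example, not code from the post: the endpoint `/legacy/export`, the `file` parameter and the rule id `VP-0001` are hypothetical, and the rule blocks the classic path-traversal shape in one parameter until the permanent fix ships.

```python
"""Virtual patch: a request-filtering rule that shields an unpatched endpoint.

Added, illustrative example (not code from the post). The endpoint, parameter
name and rule id are hypothetical; the rule blocks the classic path-traversal
shape in one parameter until the permanent code fix ships.
"""
import re
from urllib.parse import parse_qs, urlparse

# Constructed virtual-patch rules. Each pins the hypothetical vulnerable path and the
# parameter whose value must not reach the application until the code fix ships.
VIRTUAL_PATCHES = [
    {
        "id": "VP-0001",                          # hypothetical rule id
        "path": "/legacy/export",                 # hypothetical unpatched endpoint
        "param": "file",
        "deny": re.compile(r"(\.\./|^/|\x00)"),   # traversal, absolute path, NUL byte
        "reason": "placeholder advisory: unsafe path handling in legacy export",
    },
]


def evaluate_request(target, rules=VIRTUAL_PATCHES):
    """Return ('allow', None) or ('block', rule_id) for a request-target string.

    parse_qs percent-decodes once, so a single layer of URL encoding cannot
    hide the pattern from the rule; deeper normalisation is the WAF's job.
    """
    url = urlparse(target)
    params = parse_qs(url.query, keep_blank_values=True)
    for rule in rules:
        if url.path != rule["path"]:
            continue
        for value in params.get(rule["param"], []):
            if rule["deny"].search(value):
                return ("block", rule["id"])
    return ("allow", None)


def filter_log(targets, rules=VIRTUAL_PATCHES):
    """Evaluate a batch of request targets; returns (target, verdict, rule_id) per line."""
    return [(t, *evaluate_request(t, rules)) for t in targets]


if __name__ == "__main__":
    # Constructed request targets as they would appear in an access log.
    for line in filter_log([
        "/legacy/export?file=report.csv",
        "/legacy/export?file=../../config/db.ini",
        "/legacy/export?file=%2e%2e%2fconfig%2fdb.ini",
        "/healthz",
    ]):
        print(line)
```

A rule like this is scoped to one path and one parameter on purpose: a broad pattern applied to all traffic would block legitimate requests and make the team disable the shield, which is exactly what the vulnerability-to-patch gap needs it not to do. The rule should carry an expiry tied to the tracking ticket so it is removed once the real fix is deployed.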

Automated Red Teaming

Security is no longer a "once-a-year" audit. It is a continuous battle.

  • Continuous Adversarial Simulation: Deploy "Defensive AI" agents that act as "Chaos Monkeys." They constantly try to trick your employees with AI-generated phishing, probe your cloud buckets for misconfigurations, and attempt to crack passwords.
  • Evidence-Based Security: Instead of wondering "Are we secure?", you have a daily report of exactly which attacks were attempted and which ones were stopped.
  • Evolving Defence: As the Red Team AI learns new tricks from global threat intelligence, your Blue Team (defenders) automatically receives updates on how to counter those specific techniques.

Agentic SOC Orchestration

The human brain cannot process 100,000 security alerts per day. Agentic AI can.

  • Reasoning-Capable Agents: Unlike old automation (which followed "If-This-Then-That" rules), Agentic AI can "think." It can see an alert, decide to look at the user's recent emails, check the server logs, and determine if the activity is a real attack or a false alarm.
  • Automated Remediation: If a breach is confirmed, the AI agent can autonomously isolate the infected laptop, reset the user's password, and notify the legal team—all in under 30 seconds.
  • Cross-Tool Intelligence: These agents act as a "connective tissue" between your firewall, your email security, and your cloud logs, creating a unified defence narrative.

Outbound Traffic Filtering (Egress Control)

Most security focuses on who is entering the network. In the age of data theft, who is leaving is more important.

  • "Default Deny" for Outbound: Production servers should never be able to browse the general internet. They should only be allowed to talk to specific, pre-approved update sites or APIs.
  • Command & Control (C2) Blocking: When an AI agent infects a system, it must "call home" to receive instructions. Rigorous outbound filtering breaks this link, rendering the malware "blind and deaf."
  • Data Exfiltration Prevention: Use AI to monitor the volume and destination of outgoing data. A sudden 50GB transfer to an unknown IP address in a foreign country should be blocked instantly.
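The three egress controls above reduce to one evaluation per outbound connection. This is an added example, not code from the post: the host names, destinations, allow-list and the 5 GiB per-window limit are constructed assumptions. Unknown peers are denied outright, and even an allowed peer is cut off once a host's outbound volume in the window crosses the limit.

```python
"""Default-deny egress policy with a per-host volume check.

Added, illustrative example (not code from the post). Host names, destinations,
the allow-list and the 5 GiB per-window limit are constructed assumptions.
"""
from collections import defaultdict

# Constructed allow-list: each production host may reach only these (destination, port) pairs.
EGRESS_ALLOW = {
    "prod-web": {("updates.example.internal", 443), ("api.payments.example.com", 443)},
    "prod-db": {("updates.example.internal", 443)},
}
VOLUME_LIMIT_BYTES = 5 * 1024**3  # assumption: 5 GiB per host per window

# Constructed outbound connection records for one window: (host, destination, port, bytes_out).
RECORDS = [
    ("prod-web", "api.payments.example.com", 443, 120_000),
    ("prod-web", "198.51.100.23", 443, 4_096),                    # not on the allow-list
    ("prod-web", "updates.example.internal", 443, 50 * 1024**3),  # allowed peer, 50 GiB
    ("prod-db", "updates.example.internal", 443, 8_000),
    ("prod-db", "203.0.113.5", 4444, 512),                        # not on the allow-list
]


def egress_decisions(records, allow=EGRESS_ALLOW, limit=VOLUME_LIMIT_BYTES):
    """Return (host, destination, verdict) per record: allow, deny or deny_volume."""
    verdicts = []
    sent = defaultdict(int)  # bytes already allowed out per host in this window
    for host, dest, port, nbytes in records:
        if (dest, port) not in allow.get(host, set()):
            verdicts.append((host, dest, "deny"))   # default deny for unknown peers
            continue
        sent[host] += nbytes
        verdict = "deny_volume" if sent[host] > limit else "allow"
        verdicts.append((host, dest, verdict))
    return verdicts


if __name__ == "__main__":
    for host, dest, verdict in egress_decisions(RECORDS):
        print(f"{host:9} -> {dest:28} {verdict}")
```

The volume check matters because an approved destination can still be abused as a staging point; every deny here is also a detection, and the denied records are the ones the SOC should be paged on.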

Behavioural Anomaly Detection

Hackers today don't "break in," they "log in" using stolen or AI-guessed credentials.

  • User & Entity Behaviour Analytics (UEBA): Establish a "baseline of normal" for every employee. If a Corporate Advisor who usually reads "Strategic Reports" suddenly starts downloading "SQL Database Schemas," the system flags the behaviour as an anomaly.
  • Time & Velocity Checks: If an account logs in from Mumbai at 9:00 AM and from London at 9:05 AM, the system detects "impossible travel" and locks the account.
  • Process Integrity: Monitor how software behaves. If the "Calculator" app suddenly tries to access the "Microphone" or the "Keychain," the AI defence identifies this as a "Process Injection" attack and kills the task.
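The impossible-travel check and the UEBA baseline above are both straightforward to compute from login and access events. This is an added example, not code from the post: the city coordinates, the 1000 km/h speed ceiling, the event records and the user names are constructed. It flags the Mumbai-then-London login from the text and the advisor who suddenly touches a category never seen in their history.

```python
"""Impossible-travel and baseline-deviation checks over login and access events.

Added, illustrative example (not code from the post). City coordinates, the
1000 km/h speed ceiling and the events are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed geolocation table (latitude, longitude).
GEO = {"Mumbai": (19.076, 72.877), "London": (51.507, -0.128), "Pune": (18.520, 73.856)}
MAX_SPEED_KMH = 1000.0  # assumption: faster than any scheduled flight


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(events, max_speed=MAX_SPEED_KMH):
    """events: (user, ISO timestamp, city). Returns (user, from, to, speed_kmh) for
    each consecutive hop that would require exceeding max_speed."""
    flagged, last = [], {}
    for user, ts, city in sorted(events, key=lambda e: (e[0], e[1])):
        t = datetime.fromisoformat(ts)
        if user in last:
            prev_t, prev_city = last[user]
            hours = (t - prev_t).total_seconds() / 3600
            dist = haversine_km(GEO[prev_city], GEO[city])
            speed = dist / hours if hours > 0 else (float("inf") if dist > 0 else 0.0)
            if speed > max_speed:
                flagged.append((user, prev_city, city, speed))
        last[user] = (t, city)
    return flagged


def baseline_deviations(history, new_access):
    """Flag (user, category) accesses outside the categories the user touched before."""
    seen = defaultdict(set)
    for user, category in history:
        seen[user].add(category)
    return [(u, c) for u, c in new_access if c not in seen[u]]


# Constructed sample events.
LOGINS = [
    ("asha", "2026-04-25T09:00:00", "Mumbai"),
    ("asha", "2026-04-25T09:05:00", "London"),
    ("ravi", "2026-04-25T09:00:00", "Mumbai"),
    ("ravi", "2026-04-25T12:00:00", "Pune"),
]
HISTORY = [("advisor", "strategic-reports")] * 50 + [("dba", "sql-schemas")]
NEW_ACCESS = [("advisor", "strategic-reports"), ("advisor", "sql-schemas")]

if __name__ == "__main__":
    print(impossible_travel(LOGINS))
    print(baseline_deviations(HISTORY, NEW_ACCESS))
```

In production the geolocation of a login is only as good as the IP-to-location data behind it, and VPN egress points produce false impossible-travel hits, so the usual design is to treat a hit as a reason to step up authentication rather than to lock the account unconditionally.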


Expert Insight for the Board: The transition to these steps requires a cultural shift from "Security as a Cost Centre" to "Cyber-Resilience as a Competitive Advantage." In 2026, the companies that survive Claude Mythos-style attacks will be those that treat their digital infrastructure as a living, self-healing organism.

To combat the speed of Claude Mythos, your Identity, Supply Chain, and Recovery protocols must shift from "static barriers" to "dynamic ecosystems."

III. Identity & Access Management (IAM)

Just-in-Time (JIT) Privileges

In a traditional setup, an admin has "god-mode" keys 24/7. If an AI compromises that account at 2 AM, it’s game over. JIT turns these into "Cinderella permissions."

  • Ephemeral Tokens: Access is granted via a temporary token that expires in 30, 60, or 120 minutes. Once the task is done, the "key" dissolves.
  • Approval Workflows: For high-risk systems, the AI defensive layer requires a "second set of eyes" (human or a verified secondary AI) to authorize the elevation of privileges.
  • Zero Standing Risk: By ensuring no one has permanent admin rights, you remove the most valuable target from the attacker’s map. Even if a password is stolen, it grants zero power until a JIT request is validated.
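The ephemeral token, the approval requirement and the "zero standing risk" property above can be shown with an HMAC-signed elevation token. This is an added example, not code from the post: the signing key is a placeholder (a real deployment keeps it in an HSM or secrets manager), and the scope names and the set of scopes that demand a second approver are assumptions. A token carries its own expiry and scope, so a stolen password grants nothing until a fresh, approved token is minted, and a stolen token dies on its own.

```python
"""Ephemeral, scoped elevation tokens for just-in-time privilege.

Added, illustrative example (not code from the post). The signing key, scope
names and the set of scopes that demand a second approver are assumptions.
"""
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"placeholder-jit-signing-key"      # assumption: kept in an HSM or secrets manager in production
HIGH_RISK_SCOPES = {"prod-db:admin", "iam:admin"}  # assumption: these need a second approver


def _sign(body: bytes) -> str:
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()


def issue_token(user, scopes, ttl_seconds, approver=None, now=None):
    """Mint a token that dissolves after ttl_seconds (e.g. 1800, 3600 or 7200)."""
    if HIGH_RISK_SCOPES & set(scopes) and not approver:
        raise PermissionError("high-risk scope requires an approver")
    now = time.time() if now is None else now
    payload = {"sub": user, "scopes": sorted(scopes), "iat": int(now),
               "exp": int(now + ttl_seconds), "approver": approver}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode())
    return body.decode() + "." + _sign(body)


def verify_token(token, required_scope, now=None):
    """Return the payload if the token is authentic, unexpired and grants required_scope; else None."""
    now = time.time() if now is None else now
    body, sep, sig = token.partition(".")
    if not sep or not hmac.compare_digest(sig, _sign(body.encode())):
        return None   # missing or forged signature: reject before trusting any field
    payload = json.loads(base64.urlsafe_b64decode(body))
    if now >= payload["exp"] or required_scope not in payload["scopes"]:
        return None   # the "Cinderella" moment, or a scope the approver never granted
    return payload


if __name__ == "__main__":
    tok = issue_token("asha", ["prod-db:admin"], 1800, approver="ravi")
    print(verify_token(tok, "prod-db:admin"))   # valid for the next 30 minutes
    print(verify_token(tok, "payroll:read"))    # None: scope not granted
```

Verifying the signature before reading any field is the important ordering: the expiry and scope claims are only meaningful once authenticity is established. The approver's identity travels inside the token so the audit trail shows who authorised each elevation.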

Non-Human Identity (NHI) Governance

Modern enterprises have 10x more "bot" identities (API keys, service accounts, secrets) than human ones. Mythos targets these because they rarely have MFA.

  • Secret Rotation: Automatically rotate API keys and passwords every 24 hours. This shrinks the "usability window" for a stolen credential.
  • Scoped Permissions: Ensure a service account meant to "Read Weather Data" doesn't have the permission to "Delete Database."
  • NHI Discovery: Use AI to find "orphaned" accounts—old bots left behind by former developers that still have access to production environments.
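The three NHI controls above are inventory checks that can run nightly against whatever identity store the enterprise uses. This is an added example, not code from the post: the inventory, the owners, the declared scopes and the 90-day idle and one-day rotation limits are constructed assumptions. It reports permissions beyond each bot's declared purpose, bots whose owner has left or that have gone idle, and secrets past their rotation interval.

```python
"""Non-human identity hygiene: over-broad scopes, orphaned accounts and stale secrets.

Added, illustrative example (not code from the post). The inventory, the
declared scopes and the 90-day idle and 1-day rotation limits are assumptions.
"""
from datetime import date, timedelta

# Constructed inventory of service identities.
NHIS = [
    {"name": "weather-reader", "owner": "asha", "permissions": {"weather:read"},
     "last_used": "2026-04-20", "last_rotated": "2026-04-24"},
    {"name": "etl-runner", "owner": "bob", "permissions": {"db:read", "db:delete"},
     "last_used": "2026-04-23", "last_rotated": "2025-11-01"},
    {"name": "old-deploy-bot", "owner": "carol", "permissions": {"prod:deploy"},
     "last_used": "2025-09-01", "last_rotated": "2025-09-01"},
]
ACTIVE_STAFF = {"asha", "bob"}  # carol has left the company
DECLARED_SCOPE = {"weather-reader": {"weather:read"}, "etl-runner": {"db:read"}}  # stated purpose per bot


def excess_permissions(nhis, declared):
    """Permissions beyond each identity's declared purpose (undeclared bots have no valid scope)."""
    out = {}
    for n in nhis:
        extra = n["permissions"] - declared.get(n["name"], set())
        if extra:
            out[n["name"]] = sorted(extra)
    return out


def orphaned(nhis, active_staff, today_iso, idle_days=90):
    """Identities whose owner is gone or that have been idle longer than idle_days."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=idle_days)
    return sorted(n["name"] for n in nhis
                  if n["owner"] not in active_staff
                  or date.fromisoformat(n["last_used"]) < cutoff)


def rotation_overdue(nhis, today_iso, max_age_days=1):
    """Identities whose secret is older than the rotation interval."""
    today = date.fromisoformat(today_iso)
    return sorted(n["name"] for n in nhis
                  if (today - date.fromisoformat(n["last_rotated"])).days > max_age_days)


if __name__ == "__main__":
    print("excess:", excess_permissions(NHIS, DECLARED_SCOPE))
    print("orphaned:", orphaned(NHIS, ACTIVE_STAFF, "2026-04-25"))
    print("rotate now:", rotation_overdue(NHIS, "2026-04-25"))
```

Treating an undeclared bot as having no valid scope at all is deliberate: an identity nobody has claimed a purpose for is the one most likely to have been left behind by a former developer.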

Phishing-Resistant MFA

Traditional 2FA (SMS or App Push) is now trivial for AI to bypass via "MFA Fatigue" attacks or proxy-phishing sites.

  • FIDO2 / WebAuthn: Shift to hardware keys (YubiKeys) or device-level Passkeys. These use asymmetric cryptography; the secret never leaves the hardware, making it impossible for an AI to "intercept" the code.
  • Eliminating the "Human Hook": By removing the need for a user to type a 6-digit code, you remove the opportunity for an AI to trick them into typing that code into a fake website.
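The reason a proxy-phishing site cannot replay a FIDO2/WebAuthn login is that the authenticator's signature covers the origin the browser recorded, not a code the user typed. The following simulation is an added example written for this post, not code from the original article or from any WebAuthn library. Because the Python standard library ships no asymmetric primitive, a textbook RSA key with fixed small primes stands in for the authenticator's real key pair; it is insecure and only there so the private key demonstrably never leaves the `Authenticator` object. The domain names are constructed.

```python
"""Why a phishing proxy cannot replay a WebAuthn assertion: the signature binds the origin."""
import hashlib
import json
import secrets
from typing import Dict, Set

# Toy textbook RSA (Mersenne primes 2^31-1 and 2^61-1). Stand-in for the hardware key's
# ECDSA/EdDSA pair; NOT secure, used only so the block runs with the standard library.
_P, _Q = 2147483647, 2305843009213693951
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % _N


class Authenticator:
    """The hardware key: holds the private exponent and only ever emits signatures."""

    def __init__(self, rp_id: str) -> None:
        self.rp_id = rp_id
        self._d = _D                    # never serialised, never returned

    def assert_login(self, challenge: str, origin: str) -> Dict[str, object]:
        # The browser, not the user, fills in the origin of the page that asked.
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}, sort_keys=True)
        auth_data = hashlib.sha256(self.rp_id.encode()).digest()      # rpIdHash, as in WebAuthn
        signed = auth_data + hashlib.sha256(client_data.encode()).digest()
        return {"client_data": client_data, "auth_data": auth_data.hex(),
                "sig": pow(_digest(signed), self._d, _N)}


class RelyingParty:
    """The server: knows only the public key, the expected rpId and its own origin."""

    def __init__(self, rp_id: str, origin: str) -> None:
        self.rp_id, self.origin, self.public_e = rp_id, origin, _E
        self._challenges: Set[str] = set()

    def new_challenge(self) -> str:
        c = secrets.token_urlsafe(16)
        self._challenges.add(c)
        return c

    def verify(self, assertion: Dict[str, object]) -> bool:
        cd = json.loads(str(assertion["client_data"]))
        if cd.get("type") != "webauthn.get" or cd.get("challenge") not in self._challenges:
            return False
        if cd.get("origin") != self.origin:
            return False                # a relayed assertion carries the proxy's origin and dies here
        if assertion["auth_data"] != hashlib.sha256(self.rp_id.encode()).hexdigest():
            return False
        signed = bytes.fromhex(str(assertion["auth_data"])) + \
            hashlib.sha256(str(assertion["client_data"]).encode()).digest()
        if pow(int(assertion["sig"]), self.public_e, _N) != _digest(signed):
            return False
        self._challenges.discard(cd["challenge"])   # single use, no replay
        return True


def demo() -> Dict[str, bool]:
    rp = RelyingParty("bank.example", "https://bank.example")
    key = Authenticator("bank.example")
    genuine = rp.verify(key.assert_login(rp.new_challenge(), "https://bank.example"))
    # A proxy page relays the real challenge, but the browser stamps the page's own origin.
    # (A real browser would refuse the request even earlier, since the proxy's domain is not
    # a valid rpId for this credential; the origin check is the server-side backstop.)
    relayed = rp.verify(key.assert_login(rp.new_challenge(), "https://bank-login.example"))
    return {"genuine": genuine, "relayed_through_phishing_proxy": relayed}


if __name__ == "__main__":
    print(demo())
```

Compare this with a six-digit code: the code is the same string wherever the user types it, so a fake page can forward it unchanged. Here there is nothing for the user to type and the signed data names the site, so the assertion is worthless anywhere else.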

Contractor Credential Hardening

External partners are the "Trojan Horse" of the modern enterprise.

  • Siloed Environments: Contractors should work in isolated Virtual Desktop Infrastructures (VDI). They see a screen, but the data never actually touches their local machine.
  • Time-Bound Access: Contractor accounts should automatically disable themselves every Friday evening and require re-validation every Monday morning.
  • Monitoring "Normalcy": If a contractor’s account usually accesses three specific folders but suddenly starts scanning the entire network, the AI defence should terminate the session instantly.
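Time-bound accounts and "normalcy" monitoring can both be evaluated from the session's access log. This is an added example written for this post, not code from the original article; the contractor account, its learned baseline of shares, the Monday-to-Friday-18:00 window and the "more than three never-seen shares" threshold are all constructed.

```python
"""Contractor session policy: a time-bound access window plus a normalcy baseline of shares touched."""
from datetime import datetime
from typing import Dict, List, Set

# Constructed baseline learned from prior weeks: the shares each contractor account normally reads.
BASELINE: Dict[str, Set[str]] = {
    "ctr-priya": {"smb://files/marketing/q2", "smb://files/marketing/assets",
                  "smb://files/shared/templates"},
}
NEW_SHARE_LIMIT = 3   # more never-seen shares than this in one session reads as enumeration


def in_access_window(ts: datetime) -> bool:
    """Accounts are live Monday 00:00 through Friday 18:00 and disable themselves for the weekend."""
    if ts.weekday() >= 5:                           # Saturday, Sunday
        return False
    return not (ts.weekday() == 4 and ts.hour >= 18)   # Friday evening


def evaluate_session(account: str, events: List[dict]) -> dict:
    """Replay a session's file-access events and decide whether it should have been terminated."""
    baseline = BASELINE.get(account, set())
    new_shares: Set[str] = set()
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if not in_access_window(ts):
            return {"action": "terminate", "reason": "outside access window", "at": ev["ts"]}
        if ev["share"] not in baseline:
            new_shares.add(ev["share"])
            if len(new_shares) > NEW_SHARE_LIMIT:
                return {"action": "terminate", "reason": "scanning beyond baseline", "at": ev["ts"]}
    return {"action": "allow", "new_shares": sorted(new_shares)}


def demo() -> Dict[str, str]:
    # Constructed sessions. 2026-04-29 is a Wednesday; 2026-05-01 is a Friday.
    normal = [{"ts": "2026-04-29T10:05:00", "share": "smb://files/marketing/q2"},
              {"ts": "2026-04-29T10:20:00", "share": "smb://files/marketing/assets"},
              {"ts": "2026-04-29T11:00:00", "share": "smb://files/marketing/q3"}]   # one new folder is fine
    scanning = [{"ts": "2026-04-29T14:00:00", "share": f"smb://files/dept{i}/"} for i in range(6)]
    friday_evening = [{"ts": "2026-05-01T19:30:00", "share": "smb://files/marketing/q2"}]
    return {name: evaluate_session("ctr-priya", evs)["action"]
            for name, evs in [("normal", normal), ("scanning", scanning),
                              ("friday_evening", friday_evening)]}


if __name__ == "__main__":
    print(demo())
```

A single new folder is tolerated, because contractors do get new work; what trips the rule is the shape of the activity, a burst of shares the account has never touched, which is what a compromised session looks like from the file server's point of view.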

IV. Development & Supply Chain Security

AI-Integrated CI/CD Pipelines

If your developers are using AI to write code, your security must use AI to check it.

  • Static & Dynamic Analysis (SAST/DAST): Integrate "Guardrail AI" into the deployment pipeline. If code contains a logic flaw that Mythos could exploit, the build is "broken" and cannot be deployed to the cloud.
  • AI Code Review: Use Large Language Models trained specifically on cybersecurity to read pull requests, flagging not just syntax errors but "semantic vulnerabilities" (e.g., insecure handling of user data).

Managed Artifact Repositories

The "Open Source" world is a minefield of poisoned packages.

  • Quarantine Zones: All new libraries downloaded from the internet must sit in a "quarantine repository" for 24 hours while an AI red-teams them for hidden backdoors.
  • Version Pinning: Never use the "latest" version of a tool automatically. Use a verified version that has been vetted by your internal security team.
  • Digital Signatures: Ensure every piece of code used in your production environment is digitally signed, proving it hasn't been tampered with since it was vetted.
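Version pinning and integrity checking are enforceable at build time with a manifest policy: every dependency must name an exact version and a digest, and the downloaded artifact must match that digest before it is used. The block below is an added example for this post, not code from the original article or from any package manager; the manifest format is modelled on pip's `--hash` pins, and the package names and artifact bytes are constructed.

```python
"""Reject unpinned dependencies and verify artifact digests against the vetted manifest."""
import hashlib
import re
from typing import Dict, List, Tuple

# Each vetted line must read: name==exact.version --hash=sha256:<64 hex>. Anything else fails policy.
PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>[0-9][A-Za-z0-9.]*)\s+--hash=sha256:(?P<sha>[0-9a-f]{64})$")

# Constructed artifacts: the wheel AppSec vetted, and the same wheel with something appended.
GOOD_WHEEL = b"constructed contents of yamlfix-1.2.3-py3-none-any.whl"
TAMPERED_WHEEL = GOOD_WHEEL + b"\n# appended after vetting"


def parse_manifest(text: str) -> Tuple[Dict[str, Tuple[str, str]], List[str]]:
    """Return ({name: (version, sha256)}, [lines that violate the pinning policy])."""
    pins: Dict[str, Tuple[str, str]] = {}
    violations: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            violations.append(line)          # floating range, bare name ("latest"), or no digest
            continue
        pins[m["name"]] = (m["version"], m["sha"])
    return pins, violations


def verify_artifact(name: str, data: bytes, pins: Dict[str, Tuple[str, str]]) -> bool:
    """Compare the downloaded artifact's digest against the vetted pin; unknown names never pass."""
    if name not in pins:
        return False
    return hashlib.sha256(data).hexdigest() == pins[name][1]


def demo() -> dict:
    good_sha = hashlib.sha256(GOOD_WHEEL).hexdigest()
    manifest = "\n".join([
        "# vetted by AppSec on 2026-04-28 (constructed)",
        f"yamlfix==1.2.3 --hash=sha256:{good_sha}",
        "requests>=2.0",          # floating range: rejected
        "leftpad",                # implicit 'latest': rejected
        "coolpkg==9.9.9",         # pinned version but no digest: rejected
    ])
    pins, violations = parse_manifest(manifest)
    return {
        "violations": violations,
        "genuine_ok": verify_artifact("yamlfix", GOOD_WHEEL, pins),
        "tampered_ok": verify_artifact("yamlfix", TAMPERED_WHEEL, pins),
        "unlisted_ok": verify_artifact("leftpad", b"anything", pins),
    }


if __name__ == "__main__":
    print(demo())
```

Run this as a pipeline gate and the build "breaks" on the first violation, which is the behaviour the post asks for: a package that was re-published under the same version number, or a new dependency that skipped the quarantine repository, cannot reach production silently.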

SaaS Posture Management (SSPM)

A single "Public" checkbox in a Salesforce org or an S3 bucket can leak millions of records.

  • Configuration Drift Detection: AI constantly compares your current SaaS settings against a "Golden Standard." If a user accidentally makes a Slack channel public, the SSPM tool switches it back to private automatically.
  • Cross-Platform Visibility: Get a single dashboard that shows the security health of Microsoft 365, AWS, ServiceNow, and Zoom simultaneously.
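Configuration drift detection reduces to a diff between the live tenant settings and a golden standard, plus a decision about which differences are safe to revert automatically. This is an added example written for this post, not code from the original article or from any SSPM product; the setting keys, the golden values and the "requires a human" list are constructed.

```python
"""SaaS posture drift: diff live settings against a golden standard and revert what is safe to revert."""
import copy
from typing import Any, Dict, List, Tuple

# Constructed golden standard spanning several tools, keyed as tool.object.setting.
GOLDEN: Dict[str, Any] = {
    "slack.channels.finance.visibility": "private",
    "slack.workspace.external_sharing": False,
    "s3.buckets.customer-exports.public_access": False,
    "m365.sharepoint.anonymous_links": False,
}
# Settings whose reversal could break a business process are alerted on, not auto-reverted.
REQUIRES_HUMAN = {"m365.sharepoint.anonymous_links"}

# Constructed live snapshot pulled from the tenants: three settings have drifted.
CURRENT: Dict[str, Any] = {
    "slack.channels.finance.visibility": "public",
    "slack.workspace.external_sharing": False,
    "s3.buckets.customer-exports.public_access": True,
    "m365.sharepoint.anonymous_links": True,
}


def detect_drift(current: Dict[str, Any], golden: Dict[str, Any]) -> List[Tuple[str, Any, Any]]:
    """(key, actual, expected) for every golden setting that differs or is missing entirely."""
    return [(k, current.get(k, "<missing>"), v)
            for k, v in golden.items() if current.get(k, "<missing>") != v]


def remediate(current: Dict[str, Any], golden: Dict[str, Any],
              requires_human=REQUIRES_HUMAN) -> Tuple[Dict[str, Any], List[str], List[str]]:
    """Return (corrected settings, keys reverted automatically, keys escalated to a human)."""
    fixed = copy.deepcopy(current)
    reverted: List[str] = []
    alerts: List[str] = []
    for key, _actual, expected in detect_drift(current, golden):
        if key in requires_human:
            alerts.append(key)
        else:
            fixed[key] = expected
            reverted.append(key)
    return fixed, reverted, alerts


if __name__ == "__main__":
    for key, actual, expected in detect_drift(CURRENT, GOLDEN):
        print(f"drift: {key} is {actual!r}, expected {expected!r}")
    _, reverted, alerts = remediate(CURRENT, GOLDEN)
    print("auto-reverted:", reverted)
    print("needs human:", alerts)
```

The split between auto-revert and alert-only matters: flipping a Slack channel back to private is harmless, whereas silently disabling anonymous SharePoint links might cut off a live customer hand-off, so that class of drift goes to a person with the evidence attached.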

Data Loss Prevention (DLP) for GenAI

Employees often "leak" secrets by asking public AI models to "debug this code" or "summarize this confidential meeting."

  • AI Firewalls: Intercept prompts sent to public LLMs. If the prompt contains a credit card number, a private API key, or internal IP addresses, the system redacts the data before it leaves the company.
  • Enterprise AI Tunnels: Provide employees with internal, "sanitized" versions of AI tools (like a private instance of Claude or ChatGPT) where the data stays within your corporate boundary and is not used for training.
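The "AI firewall" bullet describes a prompt filter that runs before the request leaves the corporate boundary. The block below is an added example for this post, not code from the original article or from any DLP product: it redacts card numbers only when they pass the Luhn check (so order numbers survive), masks values that follow key-like labels or match the AWS access-key-ID format, and masks RFC 1918 addresses while leaving public ones alone. The sample prompt is constructed.

```python
"""GenAI DLP: redact card numbers (Luhn-validated), API keys and internal IPs before a prompt leaves."""
import re
from typing import List, Tuple

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
KEY_RE = re.compile(r"(?i)\b(?:api[_-]?key|x-api-key|secret|token)\s*[:=]\s*[\"']?([A-Za-z0-9_\-]{8,})")
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")        # AWS access key ID format
PRIVATE_IP_RE = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b")

# Constructed prompt an employee might paste into a public model.
SAMPLE_PROMPT = ("Debug this: curl -H 'x-api-key: sk_live_ab12cd34' http://10.4.7.21/pay fails for "
                 "card 4111 1111 1111 1111, order 1234567890123456, upstream 8.8.8.8")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit counting from the right."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(prompt: str) -> Tuple[str, List[str]]:
    """Return (sanitised prompt, list of finding types) in the order they were applied."""
    findings: List[str] = []

    def card(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append("card")
            return "[CARD]"
        return m.group(0)                  # 16 digits that fail Luhn (an order number) stay readable

    out = CARD_RE.sub(card, prompt)

    def key(m: re.Match) -> str:
        findings.append("api_key")
        return m.group(0).replace(m.group(1), "[API_KEY]")   # keep the label, drop the value

    out = KEY_RE.sub(key, out)
    out, n = AWS_KEY_RE.subn("[API_KEY]", out)
    findings.extend(["api_key"] * n)
    out, n = PRIVATE_IP_RE.subn("[INTERNAL_IP]", out)
    findings.extend(["internal_ip"] * n)
    return out, findings


if __name__ == "__main__":
    sanitised, found = redact(SAMPLE_PROMPT)
    print(sanitised)
    print("findings:", found)
```

Pattern matching alone is a floor, not a ceiling: the Luhn check is what keeps the filter from mangling every 16-digit identifier in a debugging session, and the public upstream address is left intact because it carries no internal information.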

V. Resilience & Recovery

Immutable Backups

Ransomware now targets backups first to ensure you have to pay.

  • WORM Storage: Use "Write Once, Read Many" technology. Once data is backed up, it physically cannot be modified or deleted by any user (even an admin) for a set period (e.g., 30 days).
  • Air-Gapped Copies: Keep one copy of your most critical data entirely offline. If the cloud is compromised, the "Gold Copy" remains untouched.
  • Automated Recovery Testing: Use AI to constantly "rehearse" the recovery of your data. If a backup is corrupted, you need to know before the disaster strikes.
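The two properties that make a backup immutable (no overwrite, and no deletion before the retention date regardless of who asks) and the recovery rehearsal that proves the copy is still intact can be modelled in a few dozen lines. This is an added example written for this post, not code from the original article or from any storage vendor; the `WormStore` class, the 30-day retention and the backup payload are constructed, and the corruption hook stands in for failing media.

```python
"""Immutable backup store: a retention lock even an admin cannot override, plus recovery rehearsal."""
import hashlib
from datetime import datetime, timedelta, timezone
from typing import Dict


class RetentionLocked(PermissionError):
    """Raised for any write or delete that WORM semantics forbid."""


class WormStore:
    def __init__(self, retention: timedelta) -> None:
        self.retention = retention
        self._objects: Dict[str, dict] = {}

    def put(self, name: str, data: bytes, now: datetime) -> str:
        if name in self._objects:
            raise RetentionLocked("write-once: object already exists")   # no overwrite, ever
        digest = hashlib.sha256(data).hexdigest()
        self._objects[name] = {"data": bytes(data), "sha256": digest,
                               "locked_until": now + self.retention}
        return digest

    def delete(self, name: str, now: datetime, actor: str) -> bool:
        obj = self._objects[name]
        if now < obj["locked_until"]:     # the actor's role is deliberately not consulted
            raise RetentionLocked(
                f"{actor} cannot delete {name} before {obj['locked_until'].isoformat()}")
        del self._objects[name]
        return True

    def rehearse_recovery(self, name: str) -> bool:
        """Re-read the object and prove it still matches the digest recorded at backup time."""
        obj = self._objects[name]
        return hashlib.sha256(obj["data"]).hexdigest() == obj["sha256"]

    def _simulate_media_corruption(self, name: str) -> None:
        # Test hook only: flip a byte underneath the API, as failing storage would.
        raw = bytearray(self._objects[name]["data"])
        raw[0] ^= 0xFF
        self._objects[name]["data"] = bytes(raw)


def demo() -> dict:
    t0 = datetime(2026, 4, 1, tzinfo=timezone.utc)
    store = WormStore(retention=timedelta(days=30))
    store.put("db-2026-04-01.dump", b"constructed backup payload", t0)
    out = {}
    try:
        store.delete("db-2026-04-01.dump", t0 + timedelta(days=3), actor="admin")
        out["admin_delete_inside_retention"] = "allowed"
    except RetentionLocked:
        out["admin_delete_inside_retention"] = "denied"
    out["rehearsal_before_corruption"] = store.rehearse_recovery("db-2026-04-01.dump")
    store._simulate_media_corruption("db-2026-04-01.dump")
    out["rehearsal_after_corruption"] = store.rehearse_recovery("db-2026-04-01.dump")
    out["delete_after_retention"] = store.delete("db-2026-04-01.dump",
                                                 t0 + timedelta(days=31), actor="admin")
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the rehearsal is the second result: the digest mismatch surfaces the bad copy on day three of a quiet month, not on the morning the ransomware note appears.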

AI-Specific Tabletop Exercises

Traditional disaster drills are too slow. You need "War Games" for the AI era.

  • Hyper-Speed Simulations: Run drills where the "attack" happens in real-time. Can your team make a decision in 2 minutes? If not, what parts of the decision-making process can be handed over to an AI agent?
  • The "Human-in-the-Loop" Test: Determine exactly where a human must be involved and where they are just a bottleneck.
  • Psychological Readiness: Train staff to recognize "Deepfake" audio or video from the CEO asking for emergency fund transfers or password resets—a hallmark of Mythos-era social engineering.

The New Bottom Line: MTTR vs. MTTD

In the past, we focused on Mean Time to Detection (MTTD)—how long until we see them? In the era of Claude Mythos, detection is instant because the AI is loud and fast. The only metric that matters now is Mean Time to Remediation (MTTR).

Conclusion

The release of Claude Mythos is a "Sputnik moment" for global enterprise. It has exposed the fragility of the digital foundations upon which the global economy is built. However, this is not a counsel of despair. It is a call for an evolutionary leap.

By adopting AI-native defence, embracing zero-trust, and focusing on the speed of remediation over the height of the wall, companies can build a new kind of resilience. We cannot stop the AI from finding the weak points, but we can build systems that are too fast, too segmented, and too "biologically" adaptive for those weak points to matter. The future belongs to the agile, the autonomous, and the resilient. The era of the "unbreakable" castle is over; the era of the self-healing organism has begun.



Friday, April 24, 2026

India’s “Scale-Based” Approach to Shadow Banking


R Kannan

For decades, India’s Non-Banking Financial Companies (NBFCs) operated in a regulatory "grey zone." While they were essential engines of credit—reaching the MSMEs and rural pockets that traditional banks often ignored—they were frequently dismissed as "shadow banks". The dual crises of IL&FS and DHFL served as a brutal wake-up call, proving that some NBFCs had become "too big to fail" while remaining regulated like small, local lenders.

As we progress through 2026, the Reserve Bank of India (RBI) has fully operationalized its Scale-Based Regulation (SBR) framework. This four-tiered pyramid—comprising the Base, Middle, Upper, and Top layers—is not merely a bureaucratic reclassification. It is a sophisticated, "ownership-neutral" regime designed to ensure that as India marches toward a $7 trillion economy, its credit engine remains a "financial fortress" rather than a house of cards.


The End of "One Size Fits None"

The core philosophy of SBR is proportionality. In the past, small gold-loan shops were often drowning in paperwork designed for giants, while systemic giants exploited loopholes intended for small shops. The 2026 mandate shifts the intensity of supervision to match the "systemic risk" an entity poses.

At the bottom of the pyramid lies the Base Layer (NBFC-BL), representing over 90% of the industry. By keeping this layer "lean"—exempting them from needing highly specialized, regulator-vetted appointees like a Chief Risk Officer (CRO)—the RBI has created an innovation hub. This allows Fintechs and P2P lenders to experiment and grow without being stifled by the compliance costs of a commercial bank.

The Professionalization Threshold: The Middle Layer

Once an NBFC crosses the ₹1,000 crore asset threshold or begins taking public deposits, it enters the Middle Layer (NBFC-ML). This is the "Professionalization Threshold". Here, the entity is no longer treated as a simple company but as a formal financial institution.

The requirements become significantly more stringent: mandatory appointment of an independent CRO with a fixed tenure to ensure they can say "no" to risky loans without fear of termination. Furthermore, these entities must now transition to the Expected Credit Loss (ECL) framework, providing for potential bad loans based on forward-looking probability rather than waiting for an actual default.

Ownership Neutrality: The Upper Layer Revolution

The most significant pivot in 2026 is the move toward an "ownership-neutral" regime in the Upper Layer (NBFC-UL). Historically, government-owned NBFCs enjoyed exemptions from certain stringent standards. No longer. Massive state-run entities like PFC, REC, and IRFC are now classified as Upper Layer if they meet the criteria, forcing them to adhere to the same capital adequacy and governance standards as their private-sector counterparts. This eliminates "regulatory arbitrage" and ensures that the largest players in the economy—regardless of who owns them—are held to a uniform standard of excellence.

The identification for this elite club (typically 15–20 entities) has also been simplified for transparency. Any entity with an asset size of ₹1,00,000 crore and above is now automatically classified as Upper Layer.

Market Discipline as a Co-Regulator

The RBI is no longer the only one watching the giants. A key pillar of the 2026 strategy is the mandatory listing requirement. Once identified as "Upper Layer," an NBFC has a three-year clock to go public. The logic is brilliant: stock market investors serve as a real-time "early warning system". If a giant NBFC begins hiding bad loans, the stock price will likely tank long before a quarterly audit catches the discrepancy.

To further bolster this "fortress," Upper Layer NBFCs must maintain a Common Equity Tier 1 (CET1) capital buffer of at least 9%, mirroring the Basel III requirements applied to global banks. They must also conduct rigorous Internal Capital Adequacy Assessment Processes (ICAAP)—essentially "stress tests" to prove they can survive an economic downturn.

The "Regulatory ICU": The Top Layer

The Top Layer (NBFC-TL) remains, by design, empty. It serves as a "Red Zone" or "Regulatory ICU". If the RBI identifies an Upper Layer entity as behaving recklessly or exhibiting a liquidity spiral, they can "promote" them to this layer. This is not an honour; it is a lockdown. The RBI can impose immediate restrictions on management compensation, dividend payouts, and branch expansion—a final warning before a forced merger or license cancellation.

Modernizing for 2026: AI, Climate, and Data

The SBR framework has evolved to meet the specific technological and environmental challenges of 2026:

  • Responsible AI: For entities using algorithms for credit underwriting, the Board must now personally approve a "Responsible AI" framework to prevent "algorithmic bias" from excluding vulnerable demographic segments.
  • Climate Risk: Upper Layer NBFCs are now mandated to disclose their exposure to climate-sensitive sectors like fossil fuels, marking the beginning of "ESG-linked" regulatory monitoring.
  • Real-Time Data: The transition from the old "XBRL" reporting to the Centralized Information Management System (CIMS) allows for an automated, granular data flow. This enables the RBI to perform "off-site surveillance" in near real-time, catching systemic stress before it boils over.

Ease of Doing Business: The Type I Revolution

While the "top" of the pyramid faces bank-like rigor, the RBI has also introduced significant relief for the "bottom." The new "Unregistered Type I" category allows investment vehicles and family offices with no customer interface and no public funds to deregister if they stay below the ₹1,000 crore threshold. This removes the RBI from micromanaging closed-loop entities, allowing the regulator to focus its resources on firms that actually impact retail consumers.

Conclusion: Planning for "Regulatory Graduation"

The message for NBFC CEOs in 2026 is clear: don't just plan for business growth; plan for "Regulatory Graduation". Growing from ₹990 crore to ₹1,010 crore is the "most expensive ₹20 crore a company will ever make" because of the "compliance cliff" that follows—suddenly requiring Audit and Risk Management Committees.

By creating a dynamic, scale-based framework that evolves with the economy, India has turned its NBFC sector from a source of systemic anxiety into a source of global confidence. This "moat" of trust is exactly why foreign institutional investors are pouring billions into Indian non-banks. India hasn't just regulated its shadow banks; it has brought them into the light, ensuring they are strong enough to power the nation’s future.

Summary of SBR Layers (2026 Standards)

Layer  | Key Criteria                         | Compliance Intensity
Base   | Assets < ₹1,000 Cr                   | Baseline governance; 90-day NPA recognition
Middle | Assets ≥ ₹1,000 Cr; deposit-taking   | Independent CCO; ECL framework; CRO mandate
Upper  | Assets ≥ ₹1,00,000 Cr                | Mandatory listing; CET1 buffers (9%); Large Exposure Framework
Top    | High systemic risk (empty by design) | Stricter than bank-level regulations; restrictions on dividends/compensation


Thursday, April 23, 2026

RBI's "Biopsy" Approach to Banking is the Global Gold Standard


R Kannan

For decades, banking supervision in India followed the logic of an autopsy. When a financial institution failed or a massive fraud was unearthed, regulators and auditors would descend upon the remains to perform a post-mortem. By the time the "cause of death" was determined, the capital was gone, and the public’s trust was often buried with it.


As we navigate 2026, the Reserve Bank of India (RBI) has fundamentally rewritten this script. We have moved from the era of "Post-Facto" regulation to the era of the "Live" Financial Institution. The RBI’s shift to a continuous, tech-driven, and risk-sensitive supervisory regime is not just a policy update; it is a paradigm shift that turns compliance from a back-office burden into the very fabric of a bank’s code.

From Snapshots to Motion Pictures

The centrepiece of this transformation is the transition from periodic manual oversight to real-time monitoring through the Centralized Information Management System (CIMS). Traditionally, compliance was a "snapshot"—a monthly or quarterly audit that captured a moment in time. Today, it is a "motion picture".

Through CIMS, regulated entities (REs) now provide structured data feeds that allow the RBI to monitor liquidity and solvency daily. This eliminates the "lag time" that once gave bad actors or incompetent management the shadows they needed to hide systemic stress. By demanding 24/7 compliance, the RBI has ensured that the "health" of the Indian financial system is always visible, in high definition.

The Rise of SupTech and the End of "Black Boxes"

The RBI’s adoption of Supervisory Technology (SupTech)—using AI and Machine Learning to scan vast amounts of bank data—has levelled the playing field. Compliance is no longer just about what a bank chooses to report; it is about what the RBI’s algorithms discover. This "God View" of banking uses active probes like the DAKSH platform to "pull" raw data directly from banks, ensuring a "Single Version of Truth". A bank can no longer show one NPA figure to the public and a different one to the regulator.

However, with great power comes great accountability. As banks adopt Generative AI and "Agentic AI" for credit scoring, the RBI has wisely mandated a "Responsible AI" framework. We have moved beyond the era of "black box" algorithms. Today, banks must provide audits of AI "explainability" to ensure that loan rejections or credit limits are not influenced by hidden biases that lead to financial exclusion.

Killing the Culture of "Evergreening"

Perhaps the most aggressive use of this new technology is the war on "Evergreening"—the practice of masking bad loans by giving a borrower a new loan to pay off the old one. In the past, this was the "Public Enemy No. 1" that hollowed out balance sheets.

Modern AI engines now scan "Related Party Clusters," tracking thousands of transactions to see if money is simply moving in a circle—from the bank to Company A, then to Company B, and finally back to the bank. By identifying these patterns in real-time, the RBI has forced banks to clean their balance sheets immediately rather than hiding Non-Performing Assets (NPAs) until they become unmanageable.
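The circular pattern described above (bank to Company A, on to Company B, back to the bank) is a round trip in the directed graph of transactions, and a bounded depth-first walk from the lender finds it. The block below is an added example written for this post, not code from the original article or from any supervisory system; the ledger, the company names, the four-hop limit and the 80% return ratio are constructed.

```python
"""Flag circular fund flows (evergreening) by walking the transaction graph from the lender and back."""
from collections import defaultdict
from typing import Dict, List

# Constructed ledger: the lender disburses to CoA, CoA pays CoB, CoB "repays" the lender's old loan.
# A second disbursement to CoC goes to a vendor and does not come back.
TRANSACTIONS = [
    {"from": "BANK", "to": "CoA",    "amount": 100.0, "date": "2026-03-01", "memo": "term loan"},
    {"from": "CoA",  "to": "CoB",    "amount": 95.0,  "date": "2026-03-03", "memo": "advance"},
    {"from": "CoB",  "to": "BANK",   "amount": 95.0,  "date": "2026-03-05", "memo": "loan repayment"},
    {"from": "BANK", "to": "CoC",    "amount": 40.0,  "date": "2026-03-02", "memo": "working capital"},
    {"from": "CoC",  "to": "Vendor", "amount": 38.0,  "date": "2026-03-10", "memo": "machinery"},
]


def build_graph(txns: List[dict]) -> Dict[str, List[dict]]:
    """Adjacency list keyed by payer; each edge keeps its amount and date."""
    g: Dict[str, List[dict]] = defaultdict(list)
    for t in txns:
        g[t["from"]].append(t)
    return g


def find_round_trips(txns: List[dict], origin: str = "BANK", max_hops: int = 4,
                     min_return_ratio: float = 0.8) -> List[List[str]]:
    """Paths origin -> ... -> origin, forward in time, where most of the disbursed money comes back."""
    g = build_graph(txns)
    found: List[List[str]] = []

    def walk(node: str, path: List[str], disbursed: float, last_date: str) -> None:
        if len(path) > max_hops:
            return
        for t in g.get(node, []):
            if t["date"] < last_date:
                continue                                  # money must flow forward in time
            nxt = t["to"]
            if nxt == origin and len(path) >= 2:
                if t["amount"] >= min_return_ratio * disbursed:
                    found.append(path + [nxt])
            elif nxt not in path:                          # no revisiting intermediate parties
                walk(nxt, path + [nxt], disbursed, t["date"])

    for t in g.get(origin, []):
        walk(t["to"], [origin, t["to"]], t["amount"], t["date"])
    return found


if __name__ == "__main__":
    for cycle in find_round_trips(TRANSACTIONS):
        print(" -> ".join(cycle))
```

The time-ordering rule is what separates evergreening from ordinary commerce: a genuine customer who both borrows and repays produces edges in both directions too, but the suspicious case is a disbursement followed, hop by hop, by a repayment of roughly the same amount.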

The "Golden Hour" of Cyber-Compliance

In 2026, the speed of commerce is matched only by the speed of cyber threats. The RBI’s "zero-tolerance" policy toward data breaches is exemplified by the strict 6-hour reporting window for significant incidents. For Tier I and II banks, a 24/7 Security Operations Centre (SOC) is now mandatory.

To meet these "Golden Hour" requirements, banks have built internal "War Rooms" where the Chief Information Security Officer (CISO) and Chief Compliance Officer (CCO) sit together. Automation is the only way to survive this environment; banks now use APIs to push data directly from their SOC to the RBI, ensuring that "human hesitation" or internal bureaucracy doesn't delay a report.

Integrating the Physical and the Digital

The 2026 approach recognizes that the "Bank Branch" and the "Bank App" are no longer separate worlds. The RBI now mandates Integrated Monitoring, where physical security—CCTV, fire sensors, and vaults—talks to digital security systems.

Consider the "Locker Scenario". In the past, locker fraud was often an inside job. Today, IoT sensors on vault doors are synced with the bank’s HR system. If a staff member’s biometric is used to open a vault while they are marked as "On Leave," the system physically locks the door and alerts the authorities. Mere "recording" of footage is no longer enough; "active verification" is the new standard.

Behavioural KYC: Ending the 10-Year Cycle

The traditional 10-year cycle for updating customer records is dead, replaced by Perpetual or Event-Based KYC. A student account that typically handles small UPI transfers will now be flagged instantly if it receives a foreign remittance of ₹50 lakhs. While "Static KYC" might label the student as low risk, "Behavioural KYC" identifies the anomaly as high risk. This may trigger a temporary restriction on debits until a Video-KYC (V-KYC) confirms the source of funds, preventing money laundering at "internet speed".

A Financial Incentive for Safety

Crucially, the RBI has turned compliance into a direct financial incentive through the Risk-Based Deposit Insurance Premium. Starting April 2026, banks with superior risk management and supervisory ratings pay lower premiums (8 paise per ₹100) compared to weaker institutions (12 paise). This forces Boards to treat compliance not as a legal obligation to be minimized, but as a core business strategy that directly impacts the bottom line.

The Human Element: Whistleblowing and Mis-selling

Despite the focus on AI and data, the RBI has not ignored the human element. New standards for digitized whistleblowing ensure that internal IT teams cannot compromise the anonymity of employees. By hosting these portals on separate clouds and using "Zero-Knowledge Proofs," the system verifies an employee’s status without ever revealing their identity.

Furthermore, the RBI is using speech analytics to combat aggressive mis-selling. AI now scans sales call recordings for forbidden phrases like "guaranteed 20% return" or "no risk". If a specific branch shows a pattern of complaints regarding a specific product, the system can automatically halt sales of that product at that location until an investigation is complete.

Conclusion: The Fabric of the Code

The "India Approach" to banking in 2026 is defined by proactive prevention rather than post-facto recovery. By shifting capital from "Audit Departments" to "Data Science Units," banks are moving compliance from the "Back Office" to the "Front Line".

This continuous, "biopsy-based" monitoring ensures that the Indian financial system remains resilient in the face of global volatility, AI-driven fraud, and rapid digitalization. For the global banking community, the message is clear: in the digital age, you cannot regulate by looking in the rearview mirror. You must be in the driver’s seat, watching the road in real-time.